SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.


TOP OF THE NEWS

GAO Report on U.S. Grid Resilience (February 27, 2017)

According to a report from the U.S. Government Accountability Office (GAO), the Department of Energy, the Department of Homeland Security, and the Federal Energy Regulatory Commission have worked together on 27 energy grid resiliency programs since 2013. The 27 projects address cybersecurity, physical security, and natural disasters. While some of the resilience programs overlap one another, GAO found that costs were not duplicated.

[Editor Comments]

[Murray] We desperately need a metric (e.g., mean time to a 90% service level from a massive failure?) for infrastructure resilience. William Thomson, Lord Kelvin, taught that if you cannot measure it you cannot recognize its presence or its absence. W. Edwards Deming taught us that if you cannot measure it, you cannot improve it.

The Recording Industry Association of America (RIAA) and other digital copyright groups are asking U.S. legislators to require Internet service providers (ISPs) to filter out pirated content. Currently, the Digital Millennium Copyright Act (DMCA) offers ISPs safe harbor as long as they remove identified pirated content "expeditiously." The groups say that the current DMCA notice-and-takedown process is "burdensome - and ultimately ineffective."

[Editor Comments]

[Pescatore] Last week, Google and Bing signed agreements to filter links to pirated content in the UK from their search engines, a good thing. ISPs filtering known pirated content in the US could also be a good thing - especially if it then leads to the ISPs filtering known malware or attacks. Since illegal or malicious content represents more than 60% of the bits flowing into Internet connections, the ISPs have long avoided doing so.

[Murray] Copyright holders should not be able to mandate costs on others to prop up their broken pricing scheme. When one's cost of replication falls, one should lower one's price and make up the profit in increased volume.

[Williams] I feel for copyright holders and have been on both sides of the DMCA myself. But the DMCA is bad legislation overall and this request would only make it worse. In order to implement the proposed requirement, ISPs would have to monitor all Internet traffic and inspect content to discover pirated content. This would be a disaster for privacy, especially if ISPs were required to decrypt traffic to find pirated content. Well-meaning legislation (protecting copyright holders) often has horrible side effects, particularly for privacy.

The SHA-1 collision attack announced last week could be used to break code repositories that use the Subversion (SVN) revision control system. The WebKit browser engine repository was corrupted by a demonstration of the method just hours after researchers from Google and the Netherlands announced their findings. Git (and Linux) founder Linus Torvalds is not very concerned about such an attack, because, he said, implementing some simple checks could thwart the attacks.

[Editor Comments]

[Murray] This demonstration tells security people what the strength and limitations of SHA-1 are, not that it is ineffective or unusable. While the cost of this attack will fall, perhaps even exponentially, we have ample time to address it.

[Honan] I agree with Linus Torvalds when he says "The sky isn't falling" in relation to this issue. While we still don't implement basic defences properly to defend against the likes of ransomware, phishing, etc., we need to focus on those basic tenets rather than the exotic attacks such as SHA-1 collisions.

THE REST OF THE WEEK'S NEWS

A new option in the forthcoming Windows 10 Creators Update will allow the blocking of apps that are not from the Windows Store. The option would prevent classic Win32 apps from downloading, which could reduce the presence of bloatware and malware. Windows 10 does support Win32 apps, but only UWP apps may be distributed through the Microsoft Store. The Creators Update is expected to be released in April.

[Editor Comments]

[Pescatore] Apple iOS and Google Android have been making app stores the default for years now and the vast majority of users prefer that approach! It is long past time for Microsoft to work to drive the Windows world in the app store direction as the default. If gamers and other high-end users want to disable it, no problem - but out of the box "curated" software controls should be the norm. Of course, Microsoft would have to invest in having a large and secure app store...

[Murray] I agree with John Pescatore. It is high time that Microsoft put security ahead of openness for openness' sake and backward compatibility.

[Honan] Using the Windows Store is one way that Windows Mobile on Microsoft Smartphones prevents malware etc. from loading onto the device. However, as with all security controls we should not rely on just one control and restricting access to the Windows Store should not be an excuse to remove other anti-malware controls.

Proposed Legislation in UK Would Allow Justice Secretary to Order the Use of IMSI Catchers Around Prisons (February 27, 2017)

Legislation introduced in British Parliament last week would allow the use of IMSI catchers, or cell-site simulators, around prisons. The Justice Secretary would have the authority to order mobile networks to deploy the technology near prisons to prevent, detect, or investigate the use of mobile phones in prisons. Currently, the technology can be used only within prison walls and must be commissioned by prison governors.

D-Link Releases Fix for Switch Flaws (February 27, 2017)

D-Link has released a firmware update to address authentication bypass and information disclosure flaws in its DGS-1510 Websmart switch series. The currently available patches are in beta release but the risks posed by the vulnerabilities are serious enough that users would be well-advised to update right away.

Spiral Toys, which sells Internet-connected stuffed animals called CloudPets that parents and children can use to send messages to each other, stored customer data in a public-facing database that required no authentication. The information was accessed and millions of messages have been held for ransom.

[Editor Comments]

[Murray] Mostly harmless but there may be nasty edge cases. May be threatening to the continuity of Spiral Toys. Innovators would do well to ask early "what could possibly go wrong?"

Google's Project Zero has disclosed a flaw in Microsoft's Internet Explorer and Edge browsers that could be exploited to crash the browsers and execute code. Project Zero notified Microsoft about the issue on November 25 and expressed surprise that the vulnerability has not yet been patched.

[Editor Comments]

[Williams] It's a little surprising that Microsoft didn't get patches out for this vulnerability that impacts such a wide user base. If anything, this illustrates just how hard it can be to meet Google's 90-day deadline. Without a deadline for release, however, my experience is that most vendors will stall indefinitely, always asking for more time. The vulnerability itself is a type confusion and is protected by Microsoft's Control Flow Guard (CFG), making exploitation more difficult to achieve. This difficulty may have contributed to Microsoft's decision to delay the patch.

The U.S. Attorney has announced that two people have been charged with wire fraud, conspiracy to commit wire fraud, and aggravated identity theft for their alleged roles in a gas station card skimming scheme. The affected gas pumps are in Florida, Alabama, Tennessee, and Virginia.

Airport Servers Exposed (February 24 & 27, 2017)

Server backups for Stewart International Airport in New Windsor, New York were found to have been exposed on the Internet for nearly a year. Stewart International Airport lies roughly 60 miles north of New York City. The backups sat on an Internet-connected storage drive holding backup images of the airport's servers; neither the drive nor the images were password protected. The contractor responsible for the issue was notified and the drive appears to have been secured.

[Editor Comments]

[Northcutt] The security of backup data is always an issue. However, you do not expect it to be online and not password protected.

[Williams] This misconfiguration (and possible data loss) was caused by a contractor. The key takeaway here is to examine your own service provider contracts and determine what responsibility the contracted party has to secure your data. Also determine what contract penalties apply if your data is not kept adequately secured. Finally, determine what their reporting requirements are - e.g., if they discover they have left your data exposed but fix the problem, are they required to notify you?